### The requested URL can't be reached
The service might be temporarily down or it may have moved permanently to a new web address.
140278599439040:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO sslv3 alert handshake failure:../../vendor/node/deps/openssl/openssl/ssl/s23_clnt.c:802:
If I use this website: https://apitester.com/ to call my URL, it works fine.
But with this one it fails too: https://client.restlet.com/ throwing the error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My web server is (include version): nginx 1.10.3
The operating system my web server runs on is (include version): ubuntu 16
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.26.1
That’s because the default option for the nginx installer plugin is to disable SSLv3.
It is advised to disable SSLv3 because of security flaws in the protocol. It was deprecated in June 2015 by RFC 7568. In 2014, SSL 3.0 was found to be vulnerable to the POODLE attack that affects all block ciphers in SSL; RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[18]
You could enable SSLv3, but I would strongly advise against it.
The reason restlet.com doesn’t work is probably because they’re using an old version of Java.
Hmm. Somehow I don’t think it’s simply due to SSLv3 - I happen to have Advanced Rest Client installed, and it connects just fine to my own home server, which only speaks TLS 1.2 and of course also uses a Let’s Encrypt certificate. Sure enough though, I get that same error when trying to connect to https://dev.www.triunfamos.com.
… opens wireshark …
I think the problem might be a mismatch of supported elliptic curves. What is ssl_ecdh_curve set to in your nginx configuration?
@jmorahan
root@profuniv-desa:/etc/nginx# grep ssl_ecdh_curve *
grep: conf.d: Is a directory
grep: geoip: Is a directory
grep: sites-available: Is a directory
grep: sites-available.BAK: Is a directory
grep: sites-enabled: Is a directory
grep: snippets: Is a directory
grep: ssl: Is a directory
Okay so try editing the file snippets/ssl_letsencrypt.conf and changing that line from: ssl_ecdh_curve secp384r1;
to: ssl_ecdh_curve auto;
or possibly just delete the line entirely.
That might be the default for your nginx version by the way. The docs say the current default is "auto", but that wouldn't be the default of your version obviously.